memento-mori-jester 0.1.49 → 0.1.51

package/CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to Memento Mori Jester are tracked here.
 
 ## Unreleased
 
+## 0.1.51
+
+- Added `docs/MAINTAINER_TRIAGE.md` with a repeatable flow for triaging bugs, false positives, security-sensitive reports, and fixture candidates.
+- Updated fixture docs so useful noisy-rule reports can become small redacted fixture cases instead of one-off anecdotes.
+- Expanded the production readiness guard so maintainer triage and fixture-conversion guidance stay present in future releases.
+
+## 0.1.50
+
+- Added `SECURITY.md` with vulnerability reporting guidance, supported-version expectations, scope, and redacted diagnostic guidance.
+- Added GitHub issue templates for bug reports, false-positive/noisy-rule reports, and feature requests.
+- Expanded the production readiness guard so `SECURITY.md`, issue templates, and support-intake docs stay present in future releases.
+
 ## 0.1.49
 
 - Expanded `jester doctor` into a support-focused diagnostic report covering package version, Node, MCP server file, review engine, config loading, git hook status, and generated GitHub Action status.

package/README.md

@@ -430,6 +430,8 @@ More setup examples:
 - [Preset Example Packs](examples/presets)
 - [Review Fixtures](examples/fixtures)
 - [Framework CI Examples](examples/ci)
+- [Security Policy](SECURITY.md)
+- [Maintainer Triage](docs/MAINTAINER_TRIAGE.md)
 - [Changelog](CHANGELOG.md)
 - [Roadmap](ROADMAP.md)
 - [Trusted npm Publishing](docs/TRUSTED_PUBLISHING.md)
@@ -491,6 +493,16 @@ Both scripts check Node 20+, run a smoke `doctor`, and print MCP config.
 - Final answers with "done/fixed/works" claims that do not mention evidence, or that admit tests were not run.
 - Project-specific commands, domains, and regex rules from `jester.config.json`.
 
+## Support
+
+When filing a bug, include redacted `jester doctor --json` output. The GitHub issue templates ask for the command, workflow step, config, and observed output so support does not start with guesswork.
+
+Use the false-positive template for noisy cautions or blocks. Include `jester summary` and `jester tune <rule-id> --json` output when possible so rule changes can be backed by evidence.
+
+Maintainers can use [docs/MAINTAINER_TRIAGE.md](docs/MAINTAINER_TRIAGE.md) to turn useful false-positive reports into redacted fixtures.
+
+For vulnerabilities, private code exposure, or credential-handling concerns, follow [SECURITY.md](SECURITY.md) instead of opening a public issue with sensitive details.
+
 ## Publishing
 
 Release checklist:

package/ROADMAP.md

@@ -6,6 +6,8 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Recently Shipped
 
+- Maintainer triage guide in v0.1.51 for turning useful false-positive reports into redacted fixture coverage.
+- Security policy and GitHub issue templates in v0.1.50 for bug reports, false positives, feature requests, and vulnerability intake.
 - Support-focused `doctor --json` diagnostics in v0.1.49 for package, config, hook, MCP, and GitHub Action state.
 - Production readiness checklist and static guard in v0.1.48 for package, workflow, docs, release, and support drift.
 - README onboarding polish in v0.1.47 around the shortest path from `npx` to playground, agent setup, hooks, and CI.
@@ -38,7 +40,8 @@ Memento Mori Jester is usable today as a CLI, MCP server, GitHub Action, and git
 
 ## Product Ideas
 
-- Add `SECURITY.md` and issue templates so diagnostics and bug reports are easier to collect.
+- Add more framework-specific false-positive examples from real reports so tuning guidance keeps getting sharper.
+- Add a fixture authoring validator for duplicate IDs, missing expected matches, and weak metadata.
 
 ## Quality And Safety
 

package/SECURITY.md

@@ -0,0 +1,48 @@
+# Security Policy
+
+Memento Mori Jester is a local CLI, MCP server, GitHub Action, and git-hook helper. It is designed to review text you provide locally; it should not send project code to a hosted service.
+
+## Supported Versions
+
+Security fixes target the latest npm release and the `main` branch.
+
+If you are using an older version, first confirm the issue still appears on the latest package:
+
+```powershell
+npx -y memento-mori-jester@latest doctor
+```
+
+## Reporting A Vulnerability
+
+Please do not put secrets, exploit details, private repository content, or live credentials in a public issue.
+
+Use GitHub's private vulnerability report flow when available:
+
+<https://github.com/Martin123132/Memento-Mori/security/advisories/new>
+
+If that flow is unavailable, open a minimal public issue asking for a private security contact, but do not include sensitive details.
+
+Helpful report details:
+
+- affected package version and install method,
+- operating system and Node version,
+- the command, GitHub Action, MCP setup, hook, or installer path involved,
+- the expected behavior and the observed behavior,
+- whether credentials, private code, generated SARIF, or CI logs are involved,
+- redacted `jester doctor --json` output.
+
+## Scope
+
+Useful security reports include:
+
+- command execution or shell-injection risks in CLI, hooks, installers, or GitHub Action paths,
+- unexpected network access or code disclosure,
+- unsafe handling of config, SARIF, fixture, or diagnostic output,
+- supply-chain or package-publishing concerns,
+- MCP server behavior that could expose more data than the caller provided.
+
+Reports about noisy rules or false positives are welcome too, but use the false-positive issue template unless there is a concrete vulnerability.
+
+## Handling Notes
+
+This is a small project, so response times are best effort. Security reports get priority over normal bugs, and fixes should preserve the project's local-first, deterministic behavior wherever possible.

package/docs/CLI.md

@@ -51,6 +51,8 @@ jester doctor --json
 
 Use `jester doctor --json` when filing an issue or debugging automation. It includes stable keys for package version, Node version, MCP server path, review-engine health, config mode/path, hook status, and generated workflow status.
 
+The bug-report issue template asks for this redacted JSON so maintainers can separate install, config, hook, MCP, and GitHub Action problems quickly.
+
 ## Playground
 
 Start a local-only paste-in playground:
@@ -154,6 +156,8 @@ Use `jester rule <id>` before muting a rule. It explains why the rule exists, co
 
 Use `jester tune <id>` when the question is practical: should this noisy rule be muted here, and what exact commands do I run? It is read-only and prints a before-muting checklist, a recommendation, and `disable-rule` / `enable-rule` commands.
 
+When filing a false-positive issue, include redacted `jester summary` output and `jester tune <rule-id> --json` output when possible.
+
 Use `jester tune coverage` when maintaining the rule set. It ranks every rule by fixture support and confidence, shows expected vs unexpected fixture weight, and suggests the next maintenance action for each rule.
 
 `jester tune` now also includes fixture evidence:

package/docs/DEMO.md

@@ -347,6 +347,8 @@ Preset packs:
 
 The fixture suite in `examples/fixtures/preset-review-cases.json` captures small real-usage examples with expected `pass`, `caution`, or `block` verdicts. These examples are run by `npm test`, so preset tuning changes stay visible.
 
+Maintainers can use `docs/MAINTAINER_TRIAGE.md` to turn useful false-positive reports into redacted fixture cases.
+
 ## 14. Framework CI Examples
 
 The workflow examples in `examples/ci` show copy-paste GitHub Actions setups for Next.js, Vite React, Express API, FastAPI, Terraform/Kubernetes, and AI MCP repos. Each workflow uploads SARIF and writes the readable Jester job summary.

package/docs/GETTING_STARTED.md

@@ -108,4 +108,14 @@ Then tell them to open `MEMENTO_MORI.md`.
 
 For copy-paste agent and hook examples, see [examples](../examples). For stack-specific config examples, see [preset example packs](../examples/presets) for Next.js, Vite React, Express API, FastAPI, Terraform/Kubernetes, and AI MCP repos. For copy-paste CI workflows, see [framework CI examples](../examples/ci). For concrete pass, caution, and block cases, see [review fixtures](../examples/fixtures).
 
+## Need Help?
+
+Run this before opening a bug report:
+
+```powershell
+npx -y memento-mori-jester@latest doctor --json
+```
+
+Use the GitHub false-positive template for noisy rules and include `jester tune <rule-id> --json` when possible. For vulnerabilities, private code exposure, or credential-handling concerns, follow [SECURITY.md](../SECURITY.md) instead of posting sensitive details publicly.
+
 For where this is going next, see [ROADMAP.md](../ROADMAP.md).

package/docs/MAINTAINER_TRIAGE.md

@@ -0,0 +1,105 @@
+# Maintainer Triage
+
+This guide turns support reports into repeatable maintenance work. The goal is simple: every useful bug or false-positive report should either become a clearer answer, a better fixture, or a focused code change.
+
+## First Response
+
+Ask for redacted diagnostics when they are missing:
+
+```powershell
+npx -y memento-mori-jester@latest doctor --json
+```
+
+For noisy rule reports, also ask for:
+
+```powershell
+npx -y memento-mori-jester@latest summary --kind <command|plan|diff|final> "<minimal input>"
+npx -y memento-mori-jester@latest tune <rule-id> --json
+```
+
+Do not ask users to paste secrets, private code, customer data, live credentials, complete CI logs, or unredacted SARIF. If the report involves credential exposure, command execution, unexpected network access, private code disclosure, package publishing, or MCP data exposure, route it through [SECURITY.md](../SECURITY.md).
+
+## Triage Labels
+
+Use a small, boring label vocabulary:
+
+- `bug`: behavior is broken or misleading.
+- `false-positive`: Jester warned or blocked when the minimal example should probably pass.
+- `rules`: rule matching, severity, fixture evidence, or tuning behavior.
+- `docs`: documentation is unclear or missing.
+- `enhancement`: a new command, preset, workflow, or larger product idea.
+- `security`: only for public tracking with no sensitive details; private details belong in the security report flow.
+
+## False-Positive Decision Tree
+
+1. Confirm the minimal input reproduces on `latest` or local `main`.
+2. Identify the rule id from `summary` output.
+3. Run `jester tune <rule-id> --json` and inspect `fixtureEvidence`.
+4. Decide whether the current behavior is:
+   - expected and should be explained,
+   - noisy but acceptable with tuning guidance,
+   - a fixture gap,
+   - a rule bug,
+   - or a preset mismatch.
+
+If the user has a safe example that should pass, prefer adding a pass fixture before loosening a rule. If the example should still caution but the wording is confusing, update the rule guidance or docs instead of changing matching behavior.
+
+## Converting Reports Into Fixtures
+
+Add a fixture when the report is minimal, redacted, realistic, and captures a rule behavior worth preserving.
+
+Good fixture candidates:
+
+- use the smallest command, plan, diff, or final answer that reproduces the behavior,
+- identify the preset or default config needed to reproduce it,
+- include the expected verdict,
+- include the expected rule id when the fixture should cover a specific rule,
+- include `expectedMatches` for intentional multi-rule overlaps,
+- include `weight` when the case should strongly influence tuning confidence,
+- set `edgeCase: true` when the example is useful but unusual.
+
+Avoid fixtures that:
+
+- contain secrets, private paths, private code, customer data, or identifiable logs,
+- depend on network calls, local machine state, dates, or npm/GitHub availability,
+- encode a one-off project preference as a global default,
+- duplicate an existing fixture without adding a new rule, preset, kind, or edge case.
+
+## Fixture Workflow
+
+1. Add or edit a case in [examples/fixtures/preset-review-cases.json](../examples/fixtures/preset-review-cases.json).
+2. Keep fixture IDs stable and descriptive, for example `web-localstorage-token-pass-2`.
+3. Prefer deterministic content over full real-world excerpts.
+4. Run:
+
+```powershell
+npm.cmd test
+node .\dist\cli.js tune <rule-id>
+node .\dist\cli.js tune <rule-id> --json
+node .\dist\cli.js tune coverage
+```
+
+5. Check whether support/confidence changed in the expected direction.
+6. If the fixture changes verdict behavior, mention the exact rule impact in `CHANGELOG.md`.
+
+## When To Change A Rule
+
+Change rule logic only when fixtures show the current matcher is broadly wrong or too blunt. Keep the change small:
+
+- preserve existing JSON output shapes unless the release explicitly changes them,
+- add pass and caution/block fixtures around the boundary,
+- update `jester rule <id>` guidance when the safe alternative or tuning advice changes,
+- keep docs-only noise suppression conservative,
+- never suppress project custom rules globally.
+
+## Closing Notes
+
+Close with the command users can run next. Good closes include:
+
+```powershell
+npx -y memento-mori-jester@latest tune <rule-id>
+npx -y memento-mori-jester@latest config disable-rule <rule-id>
+npx -y memento-mori-jester@latest config validate
+```
+
+If the report produced a fixture, mention the fixture ID in the issue. That gives future maintainers a trail from user pain to test coverage.

package/docs/PRODUCTION_READINESS.md

@@ -15,6 +15,7 @@ This checklist defines what "production grade" means for Memento Mori Jester rig
 - `package.json` includes repository, homepage, bugs, binaries, exports, public package files, and public publish access.
 - `package-lock.json` version matches `package.json`.
 - `npm run pack:dry` confirms the package includes `dist`, `docs`, `examples`, `scripts`, `README.md`, `CHANGELOG.md`, `ROADMAP.md`, and `LICENSE`.
+- `SECURITY.md` ships with the package so vulnerability reporting guidance is visible from the repository and npm tarball.
 - `prepublishOnly` runs tests and a package dry run for local publish attempts.
 
 ## GitHub Action
@@ -48,6 +49,9 @@ This checklist defines what "production grade" means for Memento Mori Jester rig
 - Package metadata points bug reports at the GitHub issues page.
 - `jester doctor --json`, `jester config validate`, and `jester rules` are the first troubleshooting commands.
 - `jester tune`, `jester tune coverage`, and the fixture suite give maintainers a way to inspect noisy rules before changing defaults.
+- GitHub issue templates collect bug reports, false-positive reports, and feature requests with the diagnostic context maintainers need.
+- `SECURITY.md` routes vulnerability reports away from public issues and asks for redacted diagnostics.
+- `docs/MAINTAINER_TRIAGE.md` explains how to turn useful false-positive reports into fixture coverage before changing rule logic.
 - npm publish has a manual workflow fallback, but the normal release path is tag-driven trusted publishing.
 
 ## Static Guard
@@ -58,11 +62,13 @@ This checklist defines what "production grade" means for Memento Mori Jester rig
 - package metadata and public package files are present,
 - CI, release, publish, and composite action workflows use the expected runtime and steps,
 - onboarding docs mention the important adoption paths,
-- production readiness documentation covers package, GitHub Action, MCP, git hooks, docs, and support.
+- production readiness documentation covers package, GitHub Action, MCP, git hooks, docs, and support,
+- `SECURITY.md` and GitHub issue templates exist and ask for the right diagnostics.
+- maintainer triage docs exist and link noisy-rule reports back to fixture coverage.
 
 `npm test` runs this check after the TypeScript build and unit tests.
 
 ## Known Next Gaps
 
-- Add `SECURITY.md` and issue templates for clearer support intake.
 - Continue expanding pass-case fixtures from real-world usage so false-positive tuning remains evidence-based.
+- Add more framework-specific false-positive examples as people report real noisy cases.

package/docs/RELEASE.md

@@ -17,7 +17,7 @@ Move the current changelog bullets into a matching version section and add `docs
 ## 2. Tag And Push
 
 ```powershell
-git add package.json package-lock.json CHANGELOG.md docs/RELEASE_NOTES_v0.1.x.md
+git add package.json package-lock.json CHANGELOG.md docs/RELEASE_NOTES_v0.1.x.md docs/PRODUCTION_READINESS.md docs/MAINTAINER_TRIAGE.md SECURITY.md .github/ISSUE_TEMPLATE
 git commit -m "Release v0.1.x"
 git tag -a v0.1.x -m "Memento Mori Jester v0.1.x"
 git push origin main

package/docs/RELEASE_NOTES_v0.1.50.md

@@ -0,0 +1,28 @@
+# v0.1.50 Release Notes
+
+This release adds clearer public support intake so bug reports, false-positive reports, feature requests, and security reports arrive with the context maintainers need.
+
+## What Changed
+
+- Added `SECURITY.md` with vulnerability reporting guidance, scope, and safe redaction expectations.
+- Added GitHub issue templates for bug reports, false positives/noisy rules, and feature requests.
+- Added GitHub issue-template contact links for security reports and getting-started docs.
+- Updated README and production-readiness docs so `jester doctor --json` and issue templates are part of the support contract.
+- Expanded `npm run production:check` so future releases keep the security policy and issue templates in place.
+
+## Behavior Notes
+
+- No CLI, MCP, config, rule, playground, GitHub Action runtime, or release automation behavior changed.
+- `SECURITY.md` is now included in the npm package file list.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run production:check
+npm.cmd run demo:svg:check
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js doctor --json
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.50 support intake"
+```

package/docs/RELEASE_NOTES_v0.1.51.md

@@ -0,0 +1,29 @@
+# v0.1.51 Release Notes
+
+This release adds a maintainer triage guide so support reports can feed back into better fixture coverage and rule tuning.
+
+## What Changed
+
+- Added `docs/MAINTAINER_TRIAGE.md`.
+- Documented the first-response diagnostic commands for bug and false-positive reports.
+- Added a false-positive decision tree for deciding between explanation, tuning guidance, fixture coverage, rule fixes, and preset fixes.
+- Updated `examples/fixtures/README.md` with guidance for converting safe reports into redacted fixture cases.
+- Updated README, demo docs, roadmap, changelog, release docs, and production readiness docs.
+- Expanded `npm run production:check` so maintainer triage and fixture-conversion guidance remain part of the release contract.
+
+## Behavior Notes
+
+- No CLI, MCP, config, rule, playground, GitHub Action runtime, or release automation behavior changed.
+- This is a support and maintenance release.
+
+## Release Validation
+
+```powershell
+npm.cmd test
+npm.cmd run production:check
+npm.cmd run demo:svg:check
+npm.cmd run pack:dry
+git diff --check
+node .\dist\cli.js doctor --json
+git diff | node .\dist\cli.js diff --fail-on block --subject "v0.1.51 maintainer triage"
+```

package/examples/fixtures/README.md

@@ -4,6 +4,8 @@ These fixtures are small, real-usage-shaped examples for preset tuning. They are
 
 The fixture file is [preset-review-cases.json](preset-review-cases.json).
 
+Maintainer triage guidance lives in [docs/MAINTAINER_TRIAGE.md](../../docs/MAINTAINER_TRIAGE.md).
+
 ## What They Cover
 
 - Documentation-only diffs that should stay quiet.
@@ -24,3 +26,16 @@ For one-off manual review, paste a fixture `content` value into:
 ```powershell
 npx -y memento-mori-jester@latest playground
 ```
+
+## Adding A Fixture From A Report
+
+Use the smallest redacted example that still reproduces the behavior. A good fixture records:
+
+- the review `kind`,
+- the preset or config needed to reproduce it,
+- the expected verdict,
+- the rule ids that should match,
+- any intentional overlaps in `expectedMatches`,
+- and whether the case is an unusual `edgeCase`.
+
+Do not add secrets, private code, customer data, complete logs, or machine-specific paths. If a false-positive report is safe but broad, add a passing fixture before loosening a rule.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "memento-mori-jester",
-  "version": "0.1.49",
+  "version": "0.1.51",
   "description": "A local court-jester sidecar for AI coding agents: review plans, commands, diffs, and final claims before they get too pleased with themselves.",
   "type": "module",
   "repository": {
@@ -32,6 +32,7 @@
     "scripts",
     "CHANGELOG.md",
     "LICENSE",
+    "SECURITY.md",
     "README.md",
     "ROADMAP.md"
   ],

package/scripts/check-production-readiness.mjs

@@ -50,11 +50,17 @@ for (const path of [
   "CHANGELOG.md",
   "ROADMAP.md",
   "LICENSE",
+  "SECURITY.md",
   "docs/RELEASE.md",
   "docs/TRUSTED_PUBLISHING.md",
   "docs/PRODUCTION_READINESS.md",
+  "docs/MAINTAINER_TRIAGE.md",
   `docs/RELEASE_NOTES_${tag}.md`,
   "action.yml",
+  ".github/ISSUE_TEMPLATE/bug_report.yml",
+  ".github/ISSUE_TEMPLATE/false_positive.yml",
+  ".github/ISSUE_TEMPLATE/feature_request.yml",
+  ".github/ISSUE_TEMPLATE/config.yml",
   ".github/workflows/ci.yml",
   ".github/workflows/npm-publish.yml",
   ".github/workflows/release.yml",
@@ -74,6 +80,9 @@ requireText("README.md", /doctor --json/, "doctor JSON support guidance");
 requireText("README.md", /config recommend/, "preset recommendation onboarding");
 requireText("README.md", /setup --agent codex/, "Codex setup onboarding");
 requireText("README.md", /github-action --write/, "GitHub Action onboarding");
+requireText("README.md", /SECURITY\.md/, "security policy link");
+requireText("README.md", /false-positive/i, "false-positive support guidance");
+requireText("README.md", /MAINTAINER_TRIAGE\.md/, "maintainer triage guide link");
 requireText("README.md", /License: PolyForm Noncommercial/, "the noncommercial license badge");
 requireText("docs/PRODUCTION_READINESS.md", /npm package/i, "npm package readiness");
 requireText("docs/PRODUCTION_READINESS.md", /GitHub Action/i, "GitHub Action readiness");
@@ -81,9 +90,26 @@ requireText("docs/PRODUCTION_READINESS.md", /MCP/i, "MCP readiness");
 requireText("docs/PRODUCTION_READINESS.md", /git hooks/i, "git hook readiness");
 requireText("docs/PRODUCTION_READINESS.md", /support/i, "support readiness");
 requireText("docs/PRODUCTION_READINESS.md", /doctor --json/, "doctor JSON support diagnostics");
+requireText("docs/PRODUCTION_READINESS.md", /SECURITY\.md/, "security policy readiness");
+requireText("docs/PRODUCTION_READINESS.md", /issue templates/i, "issue template readiness");
+requireText("docs/PRODUCTION_READINESS.md", /MAINTAINER_TRIAGE\.md/, "maintainer triage readiness");
 requireText("docs/CLI.md", /jester doctor --json/, "doctor JSON CLI docs");
-
-for (const publicFile of ["dist", "docs", "examples", "scripts", "CHANGELOG.md", "LICENSE", "README.md", "ROADMAP.md"]) {
+requireText("docs/MAINTAINER_TRIAGE.md", /doctor --json/, "doctor JSON triage prompt");
+requireText("docs/MAINTAINER_TRIAGE.md", /tune <rule-id> --json/, "tune JSON triage prompt");
+requireText("docs/MAINTAINER_TRIAGE.md", /preset-review-cases\.json/, "fixture suite link");
+requireText("docs/MAINTAINER_TRIAGE.md", /expectedMatches/, "fixture overlap guidance");
+requireText("examples/fixtures/README.md", /MAINTAINER_TRIAGE\.md/, "maintainer triage link");
+requireText("examples/fixtures/README.md", /Adding A Fixture From A Report/, "fixture report conversion guidance");
+requireText("SECURITY.md", /doctor --json/, "doctor JSON redaction guidance");
+requireText("SECURITY.md", /security\/advisories\/new/, "private vulnerability report link");
+requireText(".github/ISSUE_TEMPLATE/bug_report.yml", /doctor --json/, "doctor JSON support prompt");
+requireText(".github/ISSUE_TEMPLATE/bug_report.yml", /SECURITY\.md|security policy/i, "security redirect");
+requireText(".github/ISSUE_TEMPLATE/false_positive.yml", /jester tune <rule-id> --json/, "tune JSON prompt");
+requireText(".github/ISSUE_TEMPLATE/false_positive.yml", /false-positive|noisy rule/i, "false-positive scope");
+requireText(".github/ISSUE_TEMPLATE/feature_request.yml", /local-first and deterministic/, "project constraint prompt");
+requireText(".github/ISSUE_TEMPLATE/config.yml", /security\/advisories\/new/, "security contact link");
+
+for (const publicFile of ["dist", "docs", "examples", "scripts", "CHANGELOG.md", "LICENSE", "SECURITY.md", "README.md", "ROADMAP.md"]) {
   requirePackageFile(packageJson, publicFile);
 }